I have no config but at least some quick ideas. Organize the config file as such:

General settings (like $ModLoad) should go first. Then, actions that should always happen should come first. At the bottom of the file should be actions that occur only once. Use the discard action ~ (tilde) to get rid of those messages that you already processed and no longer need to care about. A quick sample might be this (just with files, but I hope it gets the idea):

*.*     /file-always
*.info  /file-info
*.info  ~   # discard these messages - end of processing for them
*.*     /file-all-but-info
*.err   /file-err
*.err   ~   # get rid of err
*.*     /file-all-but-info-err

I think this will get you a bit further. In v3, we already have a better way of doing things, but the ultimate solution will be implemented in the coming weeks (full scripting). I understand this is not of help here, but I thought I'd mention it.

Rainer

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:rsyslog-
> [EMAIL PROTECTED] On Behalf Of Kielek, Samuel
> Sent: Thursday, June 05, 2008 4:56 PM
> To: [email protected]
> Subject: [rsyslog] Central loghost using RHEL5.2 rsyslog
>
> I'm trying to set up a central loghost (UDP and TCP) using the version
> included in RHEL. I've come up with several partially working
> configs but none work exactly as I need.
>
> As of RHEL 5.2 rsyslog is now included, which is great news. Here's the
> version:
>
>
> $ rpm -q rsyslog
> rsyslog-2.0.0-11.el5
>
> $ /sbin/rsyslogd -v
> rsyslogd 2.0.0, compiled with:
>         FEATURE_PTHREADS (dual-threading):      Yes
>         FEATURE_REGEXP:                         Yes
>         FEATURE_LARGEFILE:                      Yes
>         FEATURE_NETZIP (message compression):   Yes
>         SYSLOG_INET (Internet/remote support):  Yes
>         FEATURE_GSSAPI (GSSAPI Kerberos 5 support): No
>         FEATURE_DEBUG (debug build, slow code): No
>
> See http://www.rsyslog.com for more information.
>
>
>
> In a nutshell, here's what I need my config to have:
>
> 1.) TCP and UDP logging
>
> 2.) Local messages from the loghost itself go to /var/log/...
>
> 3.) Remote messages go to /syslog/YYYY/MM/DD/HOSTNAME/...
>
> 4.) Additionally, I have several logs that are matched on the message
> content and go into separate log files.
>
> 5.) All messages go into a named pipe (which a 3rd party security tool
> reads from and analyzes the data)
>
> From the above, numbers 2, 3 and 4 are the ones I'm having trouble
> with. Individually I can make each work but getting them all working in
> harmony has been a bit of a battle... I want to avoid duplicate logging
> so that the local loghost logs are in /var and remote logs in /syslog.
> Additionally, the messages that are matched on their content I want to
> ONLY show up in the files designated for them. However, the named pipe
> should get everything.
>
> If anyone has a similar config for this version of rsyslog that they
> could share I'd appreciate it immensely.
>
> Thanks,
> Sam
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
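Added example, not part of the original thread and not rsyslog code: a small Python model of top-to-bottom rule processing with the discard action, useful for checking which files a message reaches before deploying a rule order on a loghost. It assumes the standard syslog selector rule that `*.info` matches info and anything more severe, while `*.=info` matches info only; the function names and the `=` variant of the sample are constructed for illustration.

```python
# Syslog severities, most severe first (lower index = more severe).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_rules(text):
    """Parse 'facility.priority  action' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        selector, action = line.split(None, 1)
        facility, prio = selector.split(".", 1)
        rules.append((facility, prio.lstrip("="), prio.startswith("="), action.strip()))
    return rules

def matches(rule, facility, severity):
    rfac, rprio, exact, _ = rule
    if rfac != "*" and rfac != facility:
        return False
    if rprio == "*":
        return True
    msg, want = SEVERITIES.index(severity), SEVERITIES.index(rprio)
    # Plain 'info' means info or more severe; '=info' means info only.
    return msg == want if exact else msg <= want

def route(rules, facility, severity):
    """Walk the rules in order; '~' ends processing for a matching message."""
    targets = []
    for rule in rules:
        if matches(rule, facility, severity):
            if rule[3] == "~":
                break
            targets.append(rule[3])
    return targets

# The rule order from the reply, and a constructed variant with exact matches.
AS_POSTED = parse_rules("""
*.*     /file-always
*.info  /file-info
*.info  ~   # end of processing for these
*.*     /file-all-but-info
*.err   /file-err
*.err   ~
*.*     /file-all-but-info-err
""")
EXACT = parse_rules("""
*.*     /file-always
*.=info /file-info
*.=info ~
*.*     /file-all-but-info
*.=err  /file-err
*.=err  ~
*.*     /file-all-but-info-err
""")

if __name__ == "__main__":
    for sev in ("debug", "info", "err", "crit"):
        print(sev, route(AS_POSTED, "daemon", sev), route(EXACT, "daemon", sev))
```

Under that selector rule, an err message in the plain form is already consumed by the `*.info ~` line and never reaches `/file-err`; the exact-match form delivers it there.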

